Infosec Weekly Roundup, April 2 – 8, 2012

First up this week is a brilliant post by Yasser Aboukir about a new way of finding SQL injection through HTTP headers.

“During vulnerability assessment or penetration testing, identifying the input vectors of the target application is a primordial step. Sometimes, when dealing with Web application testing, verification routines related to SQL injection flaws discovery are restricted to the GET and POST variables as the unique input vectors ever. What about other HTTP header parameters?…”
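A concrete illustration of the point the post makes, added here as an example that is not part of Yasser Aboukir's article: a request-logging routine that writes the User-Agent and X-Forwarded-For headers to a database, once by concatenating them into the SQL text and once with bound parameters. The header values, table name and column names are constructed for this example.

```python
import sqlite3

# Constructed sample request: the User-Agent contains a single quote.
# Vendor strings like this occur in ordinary traffic, so a quote in a
# header is not exotic, and it is enough to show why headers are input.
SAMPLE_HEADERS = {
    "User-Agent": "Mozilla/5.0 (compatible; O'Reilly-Bot/1.0)",
    "X-Forwarded-For": "203.0.113.10",
}


def new_db():
    """In-memory access log table (constructed schema for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access_log (ip TEXT, user_agent TEXT)")
    return conn


def log_request_vulnerable(conn, headers):
    """Header values pasted into the SQL text: any quote in a header
    changes the structure of the statement. Returns False on SQL error."""
    ua = headers.get("User-Agent", "")
    ip = headers.get("X-Forwarded-For", "")
    sql = "INSERT INTO access_log (ip, user_agent) VALUES ('%s', '%s')" % (ip, ua)
    try:
        conn.execute(sql)
        conn.commit()
        return True
    except sqlite3.DatabaseError:
        return False


def log_request_safe(conn, headers):
    """Same insert with bound parameters: header bytes are data, never SQL."""
    ua = headers.get("User-Agent", "")
    ip = headers.get("X-Forwarded-For", "")
    conn.execute("INSERT INTO access_log (ip, user_agent) VALUES (?, ?)", (ip, ua))
    conn.commit()
    return True


def stored_user_agents(conn):
    """Return the user_agent column, used to check what actually got logged."""
    return [row[0] for row in conn.execute("SELECT user_agent FROM access_log")]
```

With the sample headers the concatenating version fails with a syntax error and logs nothing, while the parameterised version stores the header verbatim; the same distinction is what a review of header-handling code should look for.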

The second article covers cloud computing security and data encryption in the cloud.

“In many cases it’s advised that the master key is not even kept on the same premises as the systems that use it. It must be locked up, safely, offsite; transported via a secure briefcase, handcuffed to a security officer and guarded by dire wolves. With very, very big teeth.”

The Anonymous group is still active; this week it launched a DDoS attack against the UK Prime Minister's website.

“Anonymous hacktivists have launched a distributed denial-of-service attack against the websites of 10 Downing Street and the British government’s Home Office website, preventing legitimate users from visiting the sites by flooding them with unwanted internet traffic.”

This has been the most shared topic in the news: a vulnerability in a third-party application, in this case Oracle Java, forced Apple to release two updates in two days. The vulnerability left 600,000 Macs open to the Flashback Trojan.

“Flashback would now have infected more than 1 percent of them, making Flashback roughly as common for Mac as Conficker was for Windows. Flashback appears to be the most widespread Mac malware we’ve seen since the days when viruses were spread on infected floppy disks; it could be the single most significant malware infection to ever hit the Mac community.”